
IP account limiting doesn't play well with user authentication method

Open sppmacd opened this issue 2 years ago • 0 comments

In the frontend, users don't see any credentials that allow them to authenticate; everything is done under the hood using cookies. They have no way to actually provide the credentials, so it's easy to lose access to the account when clearing them. These users will quickly hit the account limit per IP (because they create a new account every time they connect to the server after resetting browser data), effectively being banned from the server.

Possible solutions:

  • Implement "garbage-collection" of old unused accounts (so that the account is removed when it hasn't been active for some time). The removal could take place when the account limit per IP is hit.
    • How much time must pass to consider account "inactive"?
  • (In the frontend) Show access token to the user so that they can save them and "log in" using it
    • Doesn't require backend changes, but is not as safe as real authentication (because of no hidden secret, credentials are assigned to users by the backend)
  • Add something like "anonymous accounts" which would be removed after disconnection and could be used by people who clear cookies frequently (their stats won't be saved, as a tradeoff)
    • It would be hard to ban these users, but ban-by-IP could be used.
  • Implement real authentication using username & password
    • Best, but would need most work

All of these solutions, except the first, affect user experience or at least require modifying the frontend.

sppmacd, May 01 '22 11:05
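To make the first proposal concrete, here is an added example (not nmc2's own code) of a per-IP account registry that enforces the cap and garbage-collects inactive accounts only when the cap is hit, so users who cleared their cookies are not locked out while abusive bursts of live accounts still are; the `AccountRegistry` class, the `max_per_ip` value and the inactivity threshold are assumptions, since the issue leaves the threshold open.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Account:
    token: str          # opaque cookie/session token handed out by the backend
    ip: str             # client IP the account was created from
    last_seen: float    # unix timestamp of the last request seen on this account


class AccountRegistry:
    """Per-IP account cap with lazy garbage-collection of inactive accounts."""

    def __init__(self, max_per_ip: int, inactivity_seconds: float) -> None:
        self.max_per_ip = max_per_ip
        # Assumed threshold: the issue does not say how long "inactive" is.
        self.inactivity_seconds = inactivity_seconds
        self._accounts: dict[str, Account] = {}       # token -> Account

    def accounts_for_ip(self, ip: str) -> list[Account]:
        return [a for a in self._accounts.values() if a.ip == ip]

    def touch(self, token: str, now: float) -> bool:
        """Record activity; False means the account no longer exists (e.g. collected)."""
        acct = self._accounts.get(token)
        if acct is None:
            return False
        acct.last_seen = now
        return True

    def create(self, ip: str, token: str, now: float) -> Account | None:
        """Create an account for ip, collecting stale accounts only when the cap is hit."""
        if len(self.accounts_for_ip(ip)) >= self.max_per_ip:
            cutoff = now - self.inactivity_seconds
            for stale in [a for a in self.accounts_for_ip(ip) if a.last_seen < cutoff]:
                # Reclaim the slot; an account whose cookie was cleared cannot be revived anyway.
                del self._accounts[stale.token]
        if len(self.accounts_for_ip(ip)) >= self.max_per_ip:
            return None  # still at the cap with live accounts: refuse, as before
        acct = Account(token=token, ip=ip, last_seen=now)
        self._accounts[token] = acct
        return acct
```

A real backend would also log each collection so that a spike of evictions from one IP is visible to whoever reviews bans.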